---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #039
Originally issued: 10 May '02
---------------------------------------------------------------
The information in the following Security Advisory should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Advisory as soon as possible.
---------------------------------------------------------------
PROBLEM: Security vulnerability in Netfilter.
PLATFORM: Any system running HP Secure OS software for Linux Release 1.0
DAMAGE: Potential leak of information about network configuration
SOLUTION: Do not compile and enable Netfilter.
MANUAL ACTIONS: None
AVAILABILITY: Not applicable
---------------------------------------------------------------
A. Background
Netfilter ("iptables") can leak information about how port
forwarding is done in unfiltered ICMP packets.
B. Fixing the problem
Hewlett-Packard Company does not support Netfilter ("iptables")
in version A.01.00 of the software. Therefore, any workaround or
fix is not applicable to HP Secure OS for Linux.
For more details on this vulnerability and specifically how it
affects Redhat Linux, see the following Redhat Security Advisory:
2002-05-09 RHSA-2002:086 Netfilter information leak
http://rhn.redhat.com/errata/RHSA-2002-086.html
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:
Use your browser to access the HP IT Resource Center page
at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.
In the leftmost frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.
Permission is granted for copying and circulating this
Advisory to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Advisory is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0205-039--------------------------------------